Re: Q: Where should do I put a max amount in a X.509v3 certificate?
Hi Peter,
Actually, similar things are suggested in "Planning for PKI, Best
Practices for deploying the PKI" by Russ Housley and Tim Polk -- see the
section subtitled "Attribute Certificates", pp 274 - 277. Note that the
entire chapter is titled "Future Developments" so, presumably, one needs
to proceed with appropriate caution.
In any event, the rationale for placing such an attribute within a
separate Attribute Certificate is clearly spelled out:
1) a Certification Authority is most likely "not authoritative" for this
kind of information
2) this kind of information is also likely to change frequently, which
would cause highly undesirable certificate churn if included in X.509v3
ID certificates.
In contrast, an application-specific attribute could be certified by an
authoritative AA and carried in an Attribute Certificate. The AC is
defined as an extension of a suitable ID certificate. Such would be
necessary but perhaps not sufficient for general use of ACs to convey
application-specific user privileges. For example, since much attribute
information is not disclosed outside a well-defined group of relying
parties, there would also need to be a (general purpose?) mechanism to
limit access to AC information exchanged.
Best Regards,
Dale Gustafson
"Yee, Peter" wrote:
> Tim suggests using a policy qualifier, private extension, or
> subject directory attribute. (And OCSP, with which I really have
> to disagree respectfully). I'll offer another alternative: attribute
> certificates. These seem to be a natural fit and were suggested for
> just such a purpose.
>
> Sure, I'm glossing over the plethora of software that actually
> supports ACs, but most of the other suggestions aren't implemented
> either. :-)
>
> -Peter Yee
> pyee@xxxxxxxxxxxxxxx